Cookies and similar technologies (e.g. web beacons or tags) are regulated by two main legal instruments:
- the General Data Protection Regulation (‘GDPR’), which applies to all processing of personal data; and
- the ePrivacy Directive (Directive 2002/58/EC, as amended), whose Article 5(3) governs storing information on, or gaining access to information already stored in, a user’s terminal equipment.
In practice, placing cookies or similar technologies is regulated by the ePrivacy Directive, but the personal data collected through them may serve to identify individuals and therefore falls under the GDPR. In addition, consent to cookies must meet the GDPR’s requirements for valid consent. Cookie-based direct marketing must therefore comply with both instruments.
Importantly, the European Data Protection Board has confirmed (Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR) that the Directive takes precedence over the general provisions of the GDPR where it particularises them. For example, Article 5(3) of the Directive specifically requires prior consent for storing or reading cookies on a user’s device, so the other, more general, legal bases for processing in the GDPR (such as legitimate interests) cannot be relied on for the setting of cookies.
If consent is required, what is consent?
Before setting any cookie that is not strictly necessary on a user’s device, or reading any data from it, consent must be obtained. Under the GDPR, this consent must be freely given, specific, informed and unambiguous in order to be valid.
- Freely given. This excludes any case where the end user has no genuine choice, for example a “cookie wall” that blocks access to the site unless cookies are accepted.
- Specific. This requires consent to be given for each type of cookie based on their specific purpose, so social media cookies need to be consented to separately from e.g. functional cookies.
- Informed. The end user must be made aware of what they are consenting to, and certain specific information must be given (such as the purpose and duration of each cookie and how to withdraw consent).
- Unambiguous. This requires clear affirmative action, so pre-ticked boxes are not considered valid.
What cookies require consent?
The ePrivacy Directive does not require consent for so-called “strictly necessary” cookies, i.e. those set solely to provide a service the user has explicitly requested or to make the website function. Examples include authentication cookies, cookies that store the contents of a shopping basket, and cookies that let websites which charge for content meter free access to a certain number of items and/or a limited time period. Any other cookie requires consent.
What is “freely given” consent?
Cookie walls, which block a visitor’s access to a website unless they consent, have not yet been interpreted by case law. However, we believe that in most cases a cookie wall would not amount to freely given consent, and so would not be allowed, since it more or less forces the user to accept cookies in order to use the website.
By the same token, consent is not freely given, and therefore not valid, if the user cannot change their choices and withdraw their consent to the setting of cookies at any time. Withdrawing consent must be as easy as giving it, so the consent settings should be easily accessible throughout the user’s browsing. Many websites address this only by referring users to their browser settings. However, the Spanish Data Protection Authority recently fined a company that did this, so that approach may no longer be sufficient. A consent mechanism that lets users change their settings directly on the web page is therefore strongly recommended.
How specific should it be?
Consent should be obtained separately for each type of cookie that serves a specific purpose, distinguishing, for example, between social media, performance/analytics and tracking cookies. The user must be able to consent to each category/purpose individually by ticking separate boxes. Some supervisory authorities have confirmed that consent per category is sufficient and that consent for each individual cookie is not strictly required.
What information should be given?
What does affirmative action mean?
Is the end of cookies near?
Supervisory authorities appear to be clamping down on cookies and inadequate consent mechanisms, both following complaints and on their own initiative, which makes it all the more important to implement compliant consent flows. In addition, growing privacy concerns may mean that the future holds something very different for cookies. One example is Intelligent Tracking Prevention (ITP), implemented by Apple in Safari, which initially aimed to stop third-party cookies from collecting cross-site browsing data for ad targeting. Its most recent update, ITP 2.2, goes further and caps the lifetime of certain first-party cookies set from client-side script at 24 hours. Other browsers such as Firefox and Chrome are also taking action in this area. This presents challenges for the future of data collection for digital marketing.
To summarise, the following points are worth paying attention to:
- Be proactive: ensuring compliance with applicable legislation is crucial, so staying up to date with any developments is essential.
- Be informed: companies should be diligent and should, for example, know what data are being processed and which cookies are placed on their websites or apps. You should also be aware of any applicable policies of the platforms used in digital marketing; complying with these is necessary to keep using such tools in accordance with their terms and conditions.
- Use a consent mechanism that ensures a compliant consent flow for cookies. Remember that:
- consent must be opt-in: pre-checked boxes are not valid;
- consent should be granular, meaning that end users should at least consent to each type of cookies based on their purpose;
- consents must be recorded;
- it should be as easy to withdraw consent as it is to give it. End users should be able to modify their consent settings easily, and at all times, directly on your website or app.
- Be transparent as part of your compliance: make sure your policies, notices and cookie prompts are appropriate and up to date. They should:
- be clearly written and accessible to the target audience;
- reference the correct applicable legislation and supervisory authority;
- be specific and adapted to your activities;
- provide all necessary information to end users (for example how to withdraw consent, duration of the cookies, and other required details);
- be easily available on the website.
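As an added illustration of the consent-flow requirements summarised above (opt-in by default, granular by purpose, recorded, and withdrawable at any time), the following is a minimal consent manager written for this page; it is not code from the article or from any consent-management product. The category names, the cookie registry, the notice version string and the in-memory cookie jar are hypothetical stand-ins; a real site would wire the jar to `document.cookie` and persist the audit records server-side.

```javascript
// Added example (not from the article): consent gating by purpose category.
// Every non-essential category starts OFF (no pre-ticked boxes), each decision
// is recorded with the notice version shown, and withdrawing a category
// immediately deletes the cookies registered under it.
// Category names, cookie names and the in-memory jar are hypothetical.

const STRICTLY_NECESSARY = "strictly_necessary";

// Stand-in for document.cookie so the example runs outside a browser.
function createMemoryJar() {
  const store = new Map();
  return {
    set: (name, value, attrs) => store.set(name, { value, ...attrs }),
    remove: (name) => store.delete(name),
    has: (name) => store.has(name),
  };
}

function createConsentManager(categories, jar, now = () => new Date()) {
  if (!categories.includes(STRICTLY_NECESSARY)) {
    throw new Error(`categories must include ${STRICTLY_NECESSARY}`);
  }
  // Opt-in default: only the exempt category is on before the user acts.
  const state = Object.fromEntries(
    categories.map((c) => [c, c === STRICTLY_NECESSARY])
  );
  const registry = new Map(); // cookie name -> { category, attrs }
  const records = [];         // audit trail of every consent decision

  // Declare which purpose category a cookie belongs to before it is set.
  function register(name, category, attrs = {}) {
    if (!(category in state)) throw new Error(`unknown category: ${category}`);
    registry.set(name, { category, attrs });
  }

  // A cookie may be stored only if exempt or its category is consented to.
  function mayStore(category) {
    return category === STRICTLY_NECESSARY || state[category] === true;
  }

  // Set a registered cookie; returns false (and stores nothing) if not permitted.
  function setCookie(name, value) {
    const entry = registry.get(name);
    if (!entry) throw new Error(`unregistered cookie: ${name}`);
    if (!mayStore(entry.category)) return false;
    jar.set(name, value, entry.attrs);
    return true;
  }

  // Apply per-category choices. Anything but an explicit `true` is a refusal,
  // the exempt category cannot be toggled, and the decision is recorded.
  function update(choices, noticeVersion) {
    for (const [category, granted] of Object.entries(choices)) {
      if (!(category in state)) throw new Error(`unknown category: ${category}`);
      if (category === STRICTLY_NECESSARY) continue;
      state[category] = granted === true;
    }
    records.push({ at: now().toISOString(), noticeVersion, choices: { ...state } });
    // Withdrawal takes effect immediately: purge cookies no longer permitted.
    for (const [name, { category }] of registry) {
      if (!mayStore(category)) jar.remove(name);
    }
  }

  // "As easy to withdraw as to give": one call turns every optional category off.
  function withdrawAll(noticeVersion) {
    const refusals = Object.fromEntries(
      categories.filter((c) => c !== STRICTLY_NECESSARY).map((c) => [c, false])
    );
    update(refusals, noticeVersion);
  }

  return {
    register, mayStore, setCookie, update, withdrawAll,
    snapshot: () => ({ ...state }),
    records: () => records.map((r) => ({ ...r })),
  };
}

// Walk-through with constructed cookie names; returns observations so a
// caller can check them rather than rely on printed output.
function demo() {
  const jar = createMemoryJar();
  const cm = createConsentManager(
    [STRICTLY_NECESSARY, "functional", "analytics", "marketing"], jar
  );
  cm.register("session_id", STRICTLY_NECESSARY, { sameSite: "Lax", secure: true });
  cm.register("_ga", "analytics", { maxAge: 63072000 });
  cm.register("_fbp", "marketing", { maxAge: 7776000 });

  const out = {};
  out.sessionBeforeChoice = cm.setCookie("session_id", "s1");   // true: exempt
  out.analyticsBeforeChoice = cm.setCookie("_ga", "GA1.1");     // false: no consent yet
  cm.update({ analytics: true, marketing: "yes" }, "notice-v3"); // "yes" is not a consent
  out.analyticsAfterOptIn = cm.setCookie("_ga", "GA1.1");       // true
  out.marketingAfterBogusValue = cm.setCookie("_fbp", "fb.1");  // false
  cm.update({ analytics: false }, "notice-v3");                 // withdrawal
  out.analyticsCookieSurvived = jar.has("_ga");                 // false: purged
  out.sessionCookieSurvived = jar.has("session_id");            // true
  out.recordCount = cm.records().length;                        // 2
  return out;
}
```

The design choice worth noting is that the gate sits at the point where the cookie would be written, not in the banner UI: a tag that fires before the user has chosen, or after they have withdrawn, is refused regardless of what the front end displays, and the audit records give you the evidence of "which notice, which choices, when" that the "consents must be recorded" requirement calls for.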
Further information and resources that may be of interest: